Tag Archives: Malware

SIDN Finds Suspected Phishing In Big Brand .NL Domains On The Increase, But Visible Abuse Declining

According to an analysis of the Netherlands’ 50 biggest brand names, the number of .nl domain names suspected of being used or intended for use in phishing has been increasing, but monitoring and intervention appears to be suppressing visible abuse such as phishing.


Use of .BRANDS and Efforts To Thwart Domain Name Abuse Industry Highlights For DOTZON’s Katrin Ohlmer

Criminal activities continue to be an issue and challenge for the domain name industry, and it’s one of the main issues addressed in today’s Q&A with Katrin Ohlmer, CEO and founder of DOTZON GmbH. Ohlmer cites it as both a highlight and a lowlight: a highlight because the industry is attempting to tackle domain name abuse, and a lowlight because phishing, malware, botnets and pharming threaten consumers and put the whole industry in a bad light, as if it were not interested in fixing the issue. Ohlmer also sees the growth in usage of .brand new gTLDs as another highlight, while she says the whole domain industry could improve in terms of customer experience and customer-centric marketing and communications.

Domain Pulse: What were the highlights, lowlights and challenges of 2019 in the domain name industry, both for you and/or the industry in general?

Katrin Ohlmer:

A new awareness has been reached within the industry that many registries and registrars are responsible and taking actions against abuse, including the “Framework to Mitigate Abuse”. We started to communicate our efforts better to the community and will continue these efforts in 2020.

We noticed a growing use of domain names of .brands including the likes of .audi, .dvag and .mma – all with well beyond 1,000 registered domain names. We spotted quite a number of .brand domains “in the wild” – in print advertising, on vehicles and social media ads.

The ever-present existence of phishing, malware, botnets and pharming threats to consumers puts the whole industry in a bad light, seemingly not interested in fixing this issue. The industry has to improve its communication activities within the community and to all stakeholders in 2020.

In 2020, we would like ICANN to focus again on their mission “to ensure the stable and secure operation of the Internet’s unique identifier systems”.

GDPR brought new challenges and burdens to our industry. GDPR and its consequences are an asset for our industry in that personal data are not published anymore, even though this negatively affects the interests of the trademark industry.

DP: What are you looking forward to in 2020?

KO: I’m really looking forward to welcoming the ICANN community to Hamburg in Autumn and showcasing the broad use of .hamburg domain names in the city. With an ICANN meeting taking place only for the second time ever, it will be a great opportunity for the local and national Internet community to meet the ICANN community.

DP: What challenges and opportunities do you see for the year ahead?

KO: As the next round of new TLDs is still ahead of us, .brands including some of our customers have the opportunity to showcase the many usage scenarios which they have already implemented or will implement in 2020.

The whole industry has to increase their communication efforts about DNS Abuse to demonstrate that they take abuse seriously. Further debates are likely whether registries and registrars will mitigate abuse beyond DNS like counterfeiting, but hopefully ICANN will stay within its remits.

Further consolidation will happen between registries, registrars and vertically integrated groups. We might also see further investments from equity investment companies within the industry.

Tech trends like Artificial Intelligence, Bitcoin, Internet of Things will improve our industry – whether process-wise, with new products or communication channels.

The question of how ICANN will consider the Public Interest in its actions – not only at the Board level, but also within the wider community – will be a challenge. A first step has been made with the proposal drafted by the Board, and further activities will likely happen in 2020.

DP: How have new gTLDs fared in 2019?

KO: We observed that the diversity of TLDs being actively used across the globe is slowly but constantly increasing. Therefore we expect a steady uptake over the next few years, establishing the new gTLDs as a valid alternative to former TLDs.

A number of the new gTLDs are doing very well – they are chosen by users because they have a meaning like .realestate, .consulting and .rich, some provide local and regional identity to users like .berlin, .bzh and .nyc, and some represent the brand online like .audi, .google and .edeka. The more generic TLDs are, the less differentiation and meaning they have making it harder to develop a long-term value proposition beyond the price.

DP: What progress do you see on a new round of applications for new gTLDs in 2020?

KO: We are currently finalising the last open issues within the Subsequent Procedures PDP Working Group. I expect that the substantive progress of our ongoing work will continue in 2020, leading to a final report being sent to the GNSO Council and later to the ICANN Board for approval.

DP: What one thing would you like to see addressed or changed in the domain name industry?

KO: I tend to repeat myself: I still think the whole domain industry could improve in terms of customer experience and customer-centric marketing and communications including lower barriers to set-up a website, easing the whole domain registration process, and setting up an email account.

For decades, customers were attracted by prices. This led to many registrations with no or very limited usage. Now it’s time to encourage existing customers to use the product they bought and improve processes for new customers making it easier to bring their website with their new domain online.


DomainTools Webinar: The Beginner’s Guide to Mitigating Phishing Attacks

According to the FBI, U.S. businesses alone suffer nearly $343k in damages every hour from phishing, and this number has been going up year over year for the last five years. Phishing by definition is a fraudulent attempt to gain access to sensitive data and leverage such data for malicious purposes. Most commonly this is done by disguising malicious links in order to distribute malware.

In this webinar, Corin Imai, Senior Security Advisor at DomainTools will take a look at the steps to executing a phishing attack and the potential ways to help mitigate the risk.

November 14, 2018 at 10 AM PT/1 PM ET

In this webinar, you will learn:

  • Real world examples of attacks leveraging phishing vectors
  • 5 steps of executing a phishing attack – if I can do it, surely anyone can
  • 5 ways to mitigate your risk of a phishing attack


DomainTools Find Cybercriminals Using Typos to Spoof Top UK charities

Cybercriminals are using fraudulent domains to lure unsuspecting members of the public towards spoofs of well-known UK charities, for malicious purposes, according to the results of a DomainTools investigation.

Following on from the National Cyber Security Centre’s warning that cybersecurity poses the most serious threat to UK charities, DomainTools selected ten well-known and popular charitable organizations in the UK to analyse, and found that every charity selected was being spoofed online by cybercriminals, who often used typos in order to dupe unsuspecting Internet users. The team analysed domains associated with Cancer Research, The National Trust, NSPCC, Oxfam, The Red Cross, Salvation Army, Wateraid, Save The Children and Unicef. In total, over 170 domains were deemed high-risk for phishing, malware and other forms of cybercrime. Some examples of fraudulent domains with risk scores of 100 – the highest possible score – include:

  • fundraisecancerresearch[.]org
  • nationltrust[.]org
  • nspcv[.]org
  • oxfamsol-mail[.]be
  • redcroas[.]com
  • salvationarmycapitalregion[.]org
  • svaethechildren[.]org
  • sheltern[.]com
  • unicefpro[.]org
  • vistwateraid[.]org

“It remains incredibly easy for anyone to purchase an available domain,” said Tim Helming, director of product management at DomainTools. “This is part of what helps keep the Internet open and democratic, but it also helps cybercriminals exploit users. In this case the spoofing of charity websites has the added benefit of exploiting people’s wish to donate to these charities, making them a particularly lucrative target.”

Describing how these websites are put in front of Internet users, Helming explained: “these domains will often be directed towards people via email or SMS phishing campaigns, which hope to encourage users to click on seemingly legitimate looking links such as those included above, which in turn begins another cycle of cybercrime. Phishing can be used by criminals simply to gain credit card or banking information, or as a gateway to install malware on a device or network, which leads to even more serious crimes such as data breaches and or identity fraud.”

DomainTools offers top tips for consumers to avoid falling foul of a spoof website:

  • Watch out for domains that have the pattern com-[text] in them. We’re so accustomed to seeing .com that we can easily overlook the extra text that’s appended to it with a dash.
  • Look for typos on the website, coupon or link that is directing you; for example, check for extra letters in the domain, such as Yahooo[.]com.
  • Look out for ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com.
  • Watch all website redirects by hovering over URLs to see where the link will take you.
  • Realise that if something is too good to be true, it likely is.
  • Get into the habit of hovering your mouse over links, and then looking for a pop-up that shows what domain the link points to. Typo domains can often be exposed using this method. Chrome and Firefox both have this feature.
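The five tips above describe lookalike patterns a person can spot by eye; the same patterns can be checked mechanically over a feed of newly registered or reported domains. The Python script below is an added example written for this page, not DomainTools' code or the tooling behind its risk scores. It scores each hostname in a batch against a list of brand labels for one-letter typos (an added, dropped, swapped or replaced letter, measured with optimal string alignment distance), ‘rn’ passed off as ‘m’, the ‘com-<text>’ trick, and a brand name padded with extra words or pushed into a subdomain, then sorts the hits by a coarse risk level. The brand list, the thresholds and the two-entry stand-in for the Public Suffix List are assumptions made for the example; the sample input is constructed from the defanged domains listed above plus a few control names that should not be flagged.

```python
"""Typosquat triage heuristics (added example; not DomainTools' code)."""
import re

# Constructed brand labels (registrable label only, no TLD).
BRANDS = ["cancerresearch", "nationaltrust", "nspcc", "oxfam", "redcross", "salvationarmy",
          "savethechildren", "shelter", "unicef", "wateraid", "yahoo", "modern"]
# Assumption: two-entry stand-in for the Public Suffix List, so nspcc.org.uk -> "nspcc".
MULTI_LABEL_SUFFIXES = ("co.uk", "org.uk")


def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. sv/vs
    return d[len(a)][len(b)]


def refang(host: str) -> str:
    """Turn a defanged name such as nspcv[.]org into lower-case dotted form."""
    return host.lower().replace("[.]", ".").strip(". ")


def registrable_label(host: str) -> str:
    """Label immediately left of the (approximated) public suffix."""
    for suffix in MULTI_LABEL_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_homoglyphs(label: str) -> str:
    """Collapse 'rn' to 'm'; applied to both sides so modern/modem compare equal."""
    return label.replace("rn", "m")


def assess(host: str, brands=BRANDS) -> dict:
    """Score one hostname against the brand list; thresholds are assumptions."""
    h = refang(host)
    label = registrable_label(h)
    findings = []
    # Tip 1: 'com-<text>' faking a .com boundary, e.g. oxfam.com-donate.example.
    if re.search(r"(^|\.)com-", h):
        findings.append("com-dash pattern")
    for brand in brands:
        if label == brand:
            continue  # the genuine registrable label; nothing to flag
        # Tip 3: 'rn' standing in for 'm' (or the reverse).
        if fold_homoglyphs(label) == fold_homoglyphs(brand):
            findings.append(f"rn/m homoglyph of {brand}")
            continue
        dist = osa_distance(label, brand)
        # Tip 2: one added, dropped, swapped or replaced letter (two for long brands).
        if dist == 1 or (len(brand) >= 8 and dist == 2):
            findings.append(f"typo of {brand} (distance {dist})")
        elif brand in label:  # brand padded with extra words: unicefpro, vistwateraid
            findings.append(f"embeds {brand}")
        elif brand in h.split(label, 1)[0]:  # brand used as a subdomain of another name
            findings.append(f"{brand} in subdomain")
    if any(f.startswith(("typo", "rn/m", "com-dash")) for f in findings):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "none"
    return {"host": h, "label": label, "findings": findings, "risk": risk}


def triage(hosts) -> list:
    """Assess a batch and return only the hosts with findings, highest risk first."""
    order = {"high": 0, "medium": 1}
    hits = [r for r in (assess(x) for x in hosts) if r["findings"]]
    return sorted(hits, key=lambda r: (order[r["risk"]], r["host"]))


# Constructed sample: the defanged domains reported above plus control names.
SAMPLE = ["fundraisecancerresearch[.]org", "nationltrust[.]org", "nspcv[.]org", "oxfamsol-mail[.]be",
          "redcroas[.]com", "salvationarmycapitalregion[.]org", "svaethechildren[.]org",
          "sheltern[.]com", "unicefpro[.]org", "vistwateraid[.]org", "yahooo[.]com", "modem[.]com",
          "oxfam.com-donate[.]example", "nspcc[.]org[.]uk", "bbc[.]co[.]uk"]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['risk']:6} {r['host']:32} {'; '.join(r['findings'])}")
```

Run it directly to print the triage. The genuine nspcc.org.uk and the unrelated bbc.co.uk produce no findings; modem.com is caught only by the homoglyph fold, since it is two edits away from modern and the distance check tolerates two edits only for brands of eight or more characters, a deliberate choice because edit distance is noisy on short labels. The output is a worklist for an analyst or a WHOIS/DNS enrichment step, not a verdict: the padded-brand names are rated medium precisely because a legitimate regional chapter can look the same as salvationarmycapitalregion.org.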

Phishing Goes Up, Malware Down, On .CH Websites

The incidences of malware on .CH websites went down by a third (33%) in 2014, but incidences of phishing went up five-fold to 323.

SWITCH, the Swiss registry, uncovered 1,839 cases of malware last year, roughly a third below the total of 2,718 recorded in 2013. In 1,493 of these cases, registrants removed the harmful code after receiving the first notification from SWITCH.

Phishing, however, went the other way: the number of cases increased almost fivefold between the first and fourth quarters. The removal process is the same as for malware: SWITCH checks websites for phishing and notifies the holder when it is found. In 2014, SWITCH recorded 323 cases of phishing, and the phishing site was removed after the first notification in 298 of these.

Serge Droz, Head of SWITCH-CERT, SWITCH’s security team, comments: “We saw a sharp increase in the number of phishing reports SWITCH received compared with 2013. This prompted SWITCH to start notifying holders of websites affected by phishing automatically via e-mail as of 1 October 2014.”

SWITCH Fighting Malware in Switzerland

Established process now covers phishing as well

SWITCH introduced a process for removing malware-spreading code from websites back in 2010. Various partner organisations in Switzerland and abroad warn SWITCH about websites that spread malware. Where there is a justified suspicion, the holder of the website is notified and requested to remove the harmful code within one working day. If this is not done, the domain name is temporarily blocked for up to five days in the interests of security, and SWITCH demands identification from the holder if the infection is not removed from the website during this time. Should the holder also fail to meet this demand, the domain name is deleted after 30 days.

In view of the sharp increase in cases, phishing is now being handled with the same priority as malware. The process involved is partially automated. Phishing is an attempt to gain access to passwords or sensitive data by illegal means. Criminal organisations set up a phishing site on an existing website without the holder’s knowledge. Where addresses of phishing sites are identified on a .ch or .li domain, SWITCH notifies the holder and hoster. The phishing site is then removed within 24 hours in 92% of cases. Droz explains: “The most common phishing targets on .ch websites in 2014 were Apple and PayPal.” By cleaning infected websites of malware, SWITCH helps to ensure the security and stability of the Internet in Switzerland. The European Union Agency for Network and Information Security (ENISA) notes in its Threat Landscape 2014 report that phishing is on the increase worldwide.

SWITCH Phishing Domains in 2014

Use of Blackhole exploit kit drastically reduced

According to ENISA, the biggest threat comes from harmful code such as worms and Trojans, which hide on websites and infect the computers of users who visit these sites using an exploit kit. An exploit kit is a software toolkit that systematically exploits weaknesses in browsers and their plugins. SWITCH identified a variety of exploit kits in its analysis of infected websites in 2014. The most commonly used last year was Angler, which took advantage of vulnerabilities in Adobe Flash and Java. SWITCH’s observations concerning Swiss websites corroborate the ENISA report’s claim that use of the Blackhole exploit kit has been drastically reduced since those responsible were caught.

Reporting suspected phishing:

SWITCH recommends reporting it directly to the Swiss Internet Security Alliance (SISA), a joint initiative of Swiss providers of Internet and financial services and security firms. SWITCH is a founding member of SISA.





Menlo Security Finds High Risk in Trusted Websites

[news release] Stealth cybersecurity company, Menlo Security, today released its “State of the Web 2015: Vulnerability Report.” Based on a direct interrogation and analysis of the Alexa top one million sites, Menlo Security found that more than one in three of the top domains are risky – meaning the sites are either already compromised or running vulnerable software – increasing exposure to attack for anyone visiting those sites.

In 2014, businesses lost nearly $400 billion as a result of cyber crime. As attacks become increasingly sophisticated, even browsing trusted websites and clicking on links in emails have the potential to cause significant damage and compromise devices. With more than one billion websites on the Internet and over 100,000 websites created daily, the risk from vulnerable sites is multiplying.

In total, Menlo Security scanned more than 1.75 million URLs representing over 750,000 unique domains. Key findings include:

  • More than one in 20 sites (6 percent) were identified by third-party domain classification services as serving malware, spam or botnets.
  • Over one in five (21 percent) sites were running software with known vulnerabilities.
  • Sites in categories that are typically “trusted” – including Computers and Technology, Business, and Shopping – were the top three sources of vulnerable sites.
  • Of the 2.5 percent of sites that were “uncategorized,” a significant proportion (16 percent) was running vulnerable software.

“Respected and trusted websites like Forbes.com and jamieoliver.com have been used to deliver zero-day malware to unsuspecting visitors. These kinds of attacks are happening with increasing frequency because so many sites are running vulnerable software but are routinely classified as ‘safe’,” said Kowsik Guruswamy, CTO of Menlo Security. “The current generation of security tools is falling behind in the race to stop attacks. Today’s security challenges call for an entirely new approach to preventing malware from infecting users’ systems.”

To read Menlo Security’s State of the Web 2015: Vulnerability Report visit: menlosecurity.com/resources/Vulnerability_Report_Mar_2015.html

About Menlo Security

Menlo Security, a stealth cyber security startup, is eliminating the threat of advanced malware by introducing a new security model. The company’s solution is currently used by some of the world’s largest enterprises. Menlo Security was founded by experienced security executives from Check Point Software and Juniper Networks, in collaboration with renowned academics from the University of California, Berkeley. Backed by General Catalyst Partners and Osage University Partners, Menlo Security is headquartered in Menlo Park, California. Visit www.menlosecurity.com.


Threatpost: Researchers Work At Predicting Malicious Domains

“A typical phishing or Web-based malware attack usually isn’t terribly complex,” says a report on Threat Post. “But they need a few things in order to work, and one of the key components often is a malicious domain. Researchers spend a lot of time identifying and taking these domains down, but some researchers now are trying to stay a step ahead of the game by predicting which domains will be used for malicious purposes.”

According to the report, “Like bored tweens at the mall, malicious domains tend to cluster together, showing up in large groups at certain hosting providers. Often, these are so-called bulletproof hosting companies that aren’t overly concerned with what kind of activity is emanating from the domains on its platform.”

Dozens of domains are often registered at a time, “typically with nonsensical alphanumeric URLs, and use them as needed, discarding them whenever they’re identified as malicious.”

To counter these attackers, researchers at Palo Alto Networks have been looking at their behaviours. As a result they have “identified a few things that can help them predict which domains may end up being malicious at some point. They found that once domains are identified as malicious and blacklisted by reputation services, the attackers will abandon them. Then, after a period of time, the domain is removed from the reputation systems and other blacklists and will fall back into a pool of domains that are useful to attackers. In research presented at the Virus Bulletin conference here Wednesday, Wei Xu, Yanxin Zhang and Kyle Sanders of Palo Alto said that they have developed a formula that enables them to predict which of those domains will be used by attackers again.”


Concerns Small Number Of New gTLDs Hit By Phishers

There are reports that new gTLDs are already a boon for phishers, with a report in Infosecurity Magazine saying “it’s a worrying trend that shows fresh addressing to be a boon for phishers and spammers — at least at first.” The report claims “there appears to be a hierarchy establishing itself in terms of who uses which and for what purposes — and some TLDs are more likely than others to be exploited by the bad guys.”

“Out of curiosity, we checked our honeypot logs for the past 60 days to see if any malicious activity came from these new TLDs,” explained Jerome Segura, a researcher at Malwarebytes, in a blog, adding that many of them have already been compromised. “It is important to note that the majority of the domains involved were not registered by the bad guys themselves,” he said. “Instead, what we observed are websites that have been hacked and used for nefarious purposes.”

“However, this doesn’t mean that cyber crooks won’t jump on the occasion to leverage these new top-level domains. In fact, just a few days ago the Internet Storm Center reported that phishing scams were already using the ‘.support’ TLD.”

“Some TLDs are more likely to be exploited by the bad guys. For example ‘.pharmacy’ would be a good candidate for spammers pushing various drugs even though there are some restrictions as to who is allowed to register their site.”

While the numbers and the risk are very small, it is the case when accessing any website that there is always a small chance it could be hacked and used for nefarious purposes.

Malicious Phishing Domains Grow Globally As Phishers Abuse Free TLDs: APWG Report

Incidences of phishing continued to explode in China in the second half of 2013, where Chinese phishers are victimising the country’s growing online population, the Anti-Phishing Working Group’s Global Phishing Survey for the Second Half of 2013 found.

The report found Chinese phishers were responsible for 85 percent of the domain names that were registered for phishing. But it wasn’t all bad news on the phishing front, with the average uptimes of phishing attacks declining and close to historic lows, pointing to some success by anti-phishing responders.

Additionally, the companies (brands) targeted by phishers were diverse, with many new targets, indicating that e-criminals are looking for new opportunities in new places. The report also found mass hackings of vulnerable shared hosting providers led to 18 percent of all phishing attacks.

While the number of phishing URLs reported in the second half of 2013 numbered in the millions, the number of unique phishing attacks and domain names used to host them was much smaller. In the six-month period there were at least 115,565 unique phishing attacks worldwide, nearly a 60 percent increase over the 72,758 seen in the first half of 2013, but fewer than the 123,486 attacks the APWG observed in the second half of 2012.

Most of the growth in attacks came, according to the APWG report, from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The phishing attacks occurred on 82,163 unique domain names. Again, this is up from the 53,685 domains used in the first half of 2013. The growth was much larger than the increase in the number of domain names in the world, which grew from 261 million in April 2013 to 271.5 million in November 2013.

Of the 82,163 phishing domains, the report identified 22,831 domain names that the APWG believes were registered maliciously by phishers, the highest number in the seven years the APWG has been counting. Of these, 19,348 (85%) were registered to phish Chinese targets. This is significantly higher than the 12,175 found in the first half of 2013, and the 5,835 found in the second half of 2012.

The 22,831 maliciously registered domains were registered in 39 different TLDs at registrars in China, the US and Europe, and hosted in China, the US and elsewhere. The registrations clustered around ten TLDs, including .TK, .CF, .GA and .ML, registries that are all run by Freenom, a Netherlands-based company that offers free domain name registrations. The company makes money by monetising the traffic to expired domains.

As the report notes, Freenom has operated .TK under the free model for several years, and added .CF, .GA and .ML to its programme during the second half of 2013. Freenom gives accredited interveners access to directly suspend domains in the .TK registry (these partners include Facebook, Internet Identity and the Anti-Phishing Alliance of China). However, mitigation of the malicious registrations lagged in Freenom’s new spaces: .CF, .GA and .ML all had uptimes above the global average and median.

Brands were, as usual, a target, with 681 unique target institutions during the six-month period, down slightly from the 720 found in the second half of 2012. Of the 681 targets phished in the second half of 2013, almost half, 324 to be precise, were not phished in the first half of 2013. This, the report notes, is an unusual amount of “churn” or turnover and shows phishers trying out new targets. They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing.

Overall, the TLD with the most phishing attacks for the six months was .com with 46.4 percent (and 42.4% of global domain registrations), followed by .net (5.5%) and .tk (Tokelau, 4.5%), one of the free TLDs the report noted. Following were .br (Brazil, 3.2%), IP-based attacks (2.1%), .pn (Pitcairn Island, 1.9%), .me (Montenegro, 1.8%), .info (1.6%) and .ru (Russia, 1.5%). The remaining 27.3 percent came from 201 TLDs.

But the TLD with the most phishing domains per domains registered was .np (Nepal), with 27.1 phishing domains per 10,000 registrations on a base of 32,500 registrations. Among the top ten, the TLDs with more than 100,000 registrations were .pw (Palau), second with 26.4 phishing domains per 10,000, .cl (Chile, 18.2) in fourth, .gr (Greece, 10.2) in sixth, .id (Indonesia, 10.2) and .br (Brazil, 9.1).

For registrars, the top nine by domains used for phishing per 10,000 registrations are located in China. This is due, the report notes, to the fact that Chinese phishers tend to register domain names for their phishing, and regularly use Chinese registrars. Domains registered at the Chinese registrars were often used to phish Chinese targets such as Alibaba, Taobao.com and CCTV, but were also occasionally used to phish outside targets such as Facebook and PayPal.

For more information, see the 30-page APWG report. There is also a Phishing Activity Trends Report for the 4th Quarter 2013 titled Unifying the Global Response To Cybercrime.

Regulated TLDs Generally Safer Than Unregulated TLDs: Architelos Study

Not all TLDs are equal, and some are safer than others. That’s the finding of a report from Architelos that looked at the number of abusive domain names in 72 TLDs around the world. The TLDs surveyed accounted for over 257 million domain names, or over 99 percent of the total domains in the world’s registries.

The report found that “low prices, ineffectual registrars, and a lack of compliance and enforcement tend to attract abusive registrations, whereas restrictive registration policies and higher prices tend to deter abusive domain registrations.” Further, “TLD registries can be distinguished by how resistant they are to abusive registrations, and how active or passive the registry is in detecting and mitigating abuse.”

The survey was conducted on the eve of the introduction of hundreds of new TLDs, as a starting point to help determine whether the new TLDs are more or less safe and secure than those already in existence. It sought to benchmark the “current state” of TLDs so that any change could be measured against facts rather than ideological positions.

The analysis was built on data from Architelos’ patent-pending NameSentry Abuse Detection and Mitigation Service. Since its introduction in November 2012, NameSentry has been tracking and analysing abusive domain activity across the Internet.

Of the domain names in the TLDs surveyed, 0.4 percent, or roughly 4,000 per million, were considered abusive. Ninety percent of these abusive domains were found because they were advertised in spam, and six percent were involved in spreading malware. Phishing involved more than 150,000 unique domains per year. Domains used for botnet command-and-control are relatively rare, but have a disproportionate importance.

Overall 15 TLDs, or 21 percent of those surveyed, were considered to have an excellent rating. Those included the only two gTLDs to get the excellent rating, .tel and .xxx, as well as .no, .nz, .ch and .au. Those with a good rating made up half the sample, 36 TLDs, and included the two largest ccTLDs, .tk and .de, and .nl, the fifth largest ccTLD.

The largest TLD of them all with over 40 percent of all registrations, .com, came in the next category, “exercise caution”, along with 13 other TLDs including .at, .eu, .uk, .org and .net. And there were seven TLDs (10%) with the worst rating, “at risk”; this group included .info, .us, .ru, .asia and .cn.

The full report is available for download from Architelos.